forest_liana 6.0.0.pre.beta.2 → 6.0.2

data/app/services/forest_liana/authentication.rb

@@ -26,9 +26,7 @@ module ForestLiana
 
       user = ForestLiana::AuthorizationGetter.authenticate(
         rendering_id,
-        true,
         { :forest_token => access_token_instance.instance_variable_get(:@access_token) },
-        nil,
       )
 
       return ForestLiana::Token.create_token(user, rendering_id)

data/app/services/forest_liana/authorization_getter.rb

@@ -1,23 +1,12 @@
 module ForestLiana
   class AuthorizationGetter
-    def self.authenticate(rendering_id, use_google_authentication, auth_data, two_factor_registration)
+    def self.authenticate(rendering_id, auth_data)
       begin
         route = "/liana/v2/renderings/#{rendering_id.to_s}/authorization"
-
-        if !use_google_authentication.nil?
-          headers = { 'forest-token' => auth_data[:forest_token] }
-        elsif !auth_data[:email].nil?
-          headers = { 'email' => auth_data[:email], 'password' => auth_data[:password] }
-        end
-
-        query_parameters = {}
-
-        unless two_factor_registration.nil?
-          query_parameters['two-factor-registration'] = true
-        end
+        headers = { 'forest-token' => auth_data[:forest_token] }
 
         response = ForestLiana::ForestApiRequester
-          .get(route, query: query_parameters, headers: headers)
+          .get(route, query: {}, headers: headers)
 
         if response.code.to_i == 200
           body = JSON.parse(response.body, :symbolize_names => false)
@@ -25,15 +14,28 @@ module ForestLiana
           user['id'] = body['data']['id']
           user
         else
-          unless use_google_authentication.nil?
-            raise "Cannot authorize the user using this google account. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
-          else
-            raise "Cannot authorize the user using this email/password. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
-          end
+          raise generate_authentication_error response
         end
-      rescue
-        raise ForestLiana::Errors::HTTP401Error
       end
     end
+
+    private
+    def self.generate_authentication_error(error)
+      case error[:message]
+      when ForestLiana::MESSAGES[:SERVER_TRANSACTION][:SECRET_AND_RENDERINGID_INCONSISTENT]
+        return ForestLiana::Errors::InconsistentSecretAndRenderingError.new()
+      when ForestLiana::MESSAGES[:SERVER_TRANSACTION][:SECRET_NOT_FOUND]
+        return ForestLiana::Errors::SecretNotFoundError.new()
+      else
+      end
+
+      serverError = error[:jse_cause][:response][:body][:errors][0] || nil
+
+      if !serverError.nil? && serverError[:name] == ForestLiana::MESSAGES[:SERVER_TRANSACTION][:names][:TWO_FACTOR_AUTHENTICATION_REQUIRED]
+        return ForestLiana::Errors::TwoFactorAuthenticationRequiredError.new()
+      end
+
+      return StandardError.new(error)
+    end
   end
 end

data/app/services/forest_liana/oidc_client_manager.rb

@@ -8,11 +8,15 @@ module ForestLiana
         if client_data.nil?
           configuration = ForestLiana::OidcConfigurationRetriever.retrieve()
 
-          client_credentials = ForestLiana::OidcDynamicClientRegistrator.register({
-            token_endpoint_auth_method: 'none',
-            redirect_uris: [callback_url],
-            registration_endpoint: configuration['registration_endpoint']
-          })
+          if ForestLiana.forest_client_id.nil?
+            client_credentials = ForestLiana::OidcDynamicClientRegistrator.register({
+              token_endpoint_auth_method: 'none',
+              redirect_uris: [callback_url],
+              registration_endpoint: configuration['registration_endpoint']
+            })
+          else
+            client_credentials = { 'client_id' => ForestLiana.forest_client_id }
+          end
 
           client_data = { :client_id => client_credentials['client_id'], :issuer => configuration['issuer'] }
           Rails.cache.write(callback_url, client_data)

data/app/services/forest_liana/permissions_checker.rb

@@ -1,100 +1,161 @@
 module ForestLiana
   class PermissionsChecker
-    @@permissions_per_rendering = Hash.new
+    @@permissions_cached = Hash.new
+    @@scopes_cached = Hash.new
+    @@roles_acl_activated = false
+    # TODO: handle cache scopes per rendering
     @@expiration_in_seconds = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 3600).to_i
 
-    def initialize(resource, permission_name, rendering_id, smart_action_parameters = nil, collection_list_parameters = nil)
+    def initialize(resource, permission_name, rendering_id, user_id:, smart_action_request_info: nil, collection_list_parameters: nil)
+      @user_id = user_id
       @collection_name = ForestLiana.name_for(resource)
       @permission_name = permission_name
       @rendering_id = rendering_id
-      @smart_action_parameters = smart_action_parameters
+      @smart_action_request_info = smart_action_request_info
       @collection_list_parameters = collection_list_parameters
     end
 
     def is_authorized?
-      (is_permission_expired? || !is_allowed?) ? retrieve_permissions_and_check_allowed : true
-    end
-
-    private
+      # User is still authorized if he already was and the permission has not expire
+      # if !have_permissions_expired && is_allowed
+      return true unless have_permissions_expired? || !is_allowed
 
-    def get_permissions
-      @@permissions_per_rendering &&
-        @@permissions_per_rendering[@rendering_id] &&
-        @@permissions_per_rendering[@rendering_id]['data']
+      fetch_permissions
+      is_allowed
     end
 
-    def get_last_retrieve
-      @@permissions_per_rendering &&
-        @@permissions_per_rendering[@rendering_id] &&
-        @@permissions_per_rendering[@rendering_id]['last_retrieve']
-    end
+    private
 
-    def smart_action_allowed?(smart_actions_permissions) 
-      if !@smart_action_parameters||
-          !@smart_action_parameters[:user_id] ||
-          !@smart_action_parameters[:action_id] ||
-          !smart_actions_permissions ||
-          !smart_actions_permissions[@smart_action_parameters[:action_id]]
-        return false
+    def fetch_permissions
+      permissions = ForestLiana::PermissionsGetter::get_permissions_for_rendering(@rendering_id)
+      @@roles_acl_activated = permissions['meta']['rolesACLActivated']
+      permissions['last_fetch'] = Time.now
+      if @@roles_acl_activated
+        @@permissions_cached = permissions
+      else
+        permissions['data'] = ForestLiana::PermissionsFormatter.convert_to_new_format(permissions['data'], @rendering_id)
+        @@permissions_cached[@rendering_id] = permissions
       end
-
-      @user_id = @smart_action_parameters[:user_id]
-      @action_id = @smart_action_parameters[:action_id]
-      @smart_action_permissions = smart_actions_permissions[@action_id]
-      @allowed = @smart_action_permissions['allowed']
-      @users = @smart_action_permissions['users']
-
-      return @allowed && (@users.nil?|| @users.include?(@user_id.to_i))
+      add_scopes_to_cache(permissions)
     end
 
-    def collection_list_allowed?(scope_permissions)
-      return ForestLiana::ScopeValidator.new(
-        scope_permissions['filter'],
-        scope_permissions['dynamicScopesValues']['users']
-      ).is_scope_in_request?(@collection_list_parameters)
+    def add_scopes_to_cache(permissions)
+      permissions['data']['renderings'].keys.each { |rendering_id|
+        @@scopes_cached[rendering_id] = permissions['data']['renderings'][rendering_id]
+        @@scopes_cached[rendering_id]['last_fetch'] = Time.now
+      } if permissions['data']['renderings']
     end
 
-    def is_allowed?
-      permissions = get_permissions
+    def is_allowed
+      permissions = get_permissions_content
       if permissions && permissions[@collection_name] &&
         permissions[@collection_name]['collection']
         if @permission_name === 'actions'
           return smart_action_allowed?(permissions[@collection_name]['actions'])
-        # NOTICE: Permissions[@collection_name]['scope'] will either contains conditions filter and
-        #         dynamic user values definition, or null for collection that does not use scopes
-        elsif @permission_name === 'list' and permissions[@collection_name]['scope']
-          return collection_list_allowed?(permissions[@collection_name]['scope'])
         else
-          return permissions[@collection_name]['collection'][@permission_name]
+          if @permission_name === 'browseEnabled'
+            refresh_scope_cache if scope_cache_expired?
+            scope_permissions = get_scope_in_permissions
+            if scope_permissions
+              # NOTICE: current_scope will either contains conditions filter and
+              #         dynamic user values definition, or null for collection that does not use scopes
+              return false unless are_scopes_valid?(scope_permissions)
+            end
+          end
+          return is_user_allowed(permissions[@collection_name]['collection'][@permission_name])
         end
       else
         false
       end
     end
 
-    def retrieve_permissions
-      @@permissions_per_rendering[@rendering_id] = Hash.new
-      permissions = ForestLiana::PermissionsGetter.new(@rendering_id).perform()
-      @@permissions_per_rendering[@rendering_id]['data'] = permissions
-      @@permissions_per_rendering[@rendering_id]['last_retrieve'] = Time.now
+    def get_scope_in_permissions
+      @@scopes_cached[@rendering_id] &&
+      @@scopes_cached[@rendering_id][@collection_name] &&
+      @@scopes_cached[@rendering_id][@collection_name]['scope']
+    end
+
+    def scope_cache_expired?
+      return true unless @@scopes_cached[@rendering_id] && @@scopes_cached[@rendering_id]['last_fetch']
+
+      elapsed_seconds = date_difference_in_seconds(Time.now, @@scopes_cached[@rendering_id]['last_fetch'])
+      elapsed_seconds >= @@expiration_in_seconds
+    end
+
+    # This will happen only on rolesACLActivated (as scope cache will always be up to date on disabled)
+    def refresh_scope_cache
+      permissions = ForestLiana::PermissionsGetter::get_permissions_for_rendering(@rendering_id, rendering_specific_only: true)
+      add_scopes_to_cache(permissions)
+    end
+
+    # When acl disabled permissions are stored and retrieved by rendering
+    def get_permissions
+      @@roles_acl_activated ? @@permissions_cached : @@permissions_cached[@rendering_id]
+    end
+
+    def get_permissions_content
+      permissions = get_permissions
+      permissions && permissions['data'] && permissions['data']['collections']
+    end
+
+    def get_last_fetch
+      permissions = get_permissions
+      permissions && permissions['last_fetch']
+    end
+
+    def get_smart_action_permissions(smart_actions_permissions)
+      endpoint = @smart_action_request_info[:endpoint]
+      http_method = @smart_action_request_info[:http_method]
+
+      return nil unless endpoint && http_method
+
+      schema_smart_action = ForestLiana::Utils::BetaSchemaUtils.find_action_from_endpoint(@collection_name, endpoint, http_method)
+
+      schema_smart_action &&
+        schema_smart_action.name &&
+        smart_actions_permissions &&
+        smart_actions_permissions[schema_smart_action.name]
+    end
+
+    def is_user_allowed(permission_value)
+      return false if permission_value.nil?
+      return permission_value if permission_value.in? [true, false]
+      permission_value.include?(@user_id.to_i)
+    end
+
+    def smart_action_allowed?(smart_actions_permissions)
+      smart_action_permissions = get_smart_action_permissions(smart_actions_permissions)
+
+      return false unless smart_action_permissions
+
+      is_user_allowed(smart_action_permissions['triggerEnabled'])
+    end
+
+    def are_scopes_valid?(scope_permissions)
+      return ForestLiana::ScopeValidator.new(
+        scope_permissions['filter'],
+        scope_permissions['dynamicScopesValues']['users']
+      ).is_scope_in_request?(@collection_list_parameters)
     end
 
     def date_difference_in_seconds(date1, date2)
       (date1 - date2).to_i
     end
 
-    def is_permission_expired?
-      last_retrieve = get_last_retrieve
-
-      return true if last_retrieve.nil?
+    def have_permissions_expired?
+      last_fetch = get_last_fetch
+      return true unless last_fetch
 
-      elapsed_seconds = date_difference_in_seconds(Time.now, last_retrieve)
+      elapsed_seconds = date_difference_in_seconds(Time.now, last_fetch)
       elapsed_seconds >= @@expiration_in_seconds
     end
 
-    def retrieve_permissions_and_check_allowed
-      retrieve_permissions
-      is_allowed?
+    # Used only for testing purpose
+    def self.empty_cache
+      @@permissions_cached = Hash.new
+      @@scopes_cached = Hash.new
+      @@roles_acl_activated = false
+      @@expiration_in_seconds = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 3600).to_i
     end
   end
 end

data/app/services/forest_liana/permissions_formatter.rb

@@ -0,0 +1,52 @@
+module ForestLiana
+  class PermissionsFormatter
+    class << PermissionsFormatter
+      # Convert old format permissions to unify PermissionsGetter code
+      def convert_to_new_format(permissions, rendering_id)
+        permissions_new_format = Hash.new
+        permissions_new_format['collections'] = Hash.new
+        permissions_new_format['renderings'] = Hash.new
+        permissions_new_format['renderings'][rendering_id] = Hash.new
+        permissions.keys.each { |collection_name|
+          permissions_new_format['collections'][collection_name] = {
+            'collection' => convert_collection_permissions_to_new_format(permissions[collection_name]['collection']),
+            'actions' => convert_actions_permissions_to_new_format(permissions[collection_name]['actions'])
+          }
+
+          permissions_new_format['renderings'][rendering_id][collection_name] = { 'scope' => permissions[collection_name]['scope'] }
+        }
+
+        permissions_new_format
+      end
+
+      def convert_collection_permissions_to_new_format(collection_permissions)
+        {
+          'browseEnabled' => collection_permissions['list'] || collection_permissions['searchToEdit'],
+          'readEnabled' => collection_permissions['show'],
+          'addEnabled' => collection_permissions['create'],
+          'editEnabled' => collection_permissions['update'],
+          'deleteEnabled' => collection_permissions['delete'],
+          'exportEnabled' => collection_permissions['export']
+        }
+      end
+
+      def convert_actions_permissions_to_new_format(actions_permissions)
+        return nil unless actions_permissions
+
+        actions_permissions_new_format = Hash.new
+
+        actions_permissions.keys.each { |action_name|
+          allowed = actions_permissions[action_name]['allowed']
+          users = actions_permissions[action_name]['users']
+
+          actions_permissions_new_format[action_name] = Hash.new
+          actions_permissions_new_format[action_name] = {
+            'triggerEnabled' => allowed && (users.nil? || users)
+          }
+        }
+
+        actions_permissions_new_format
+      end
+    end
+  end
+end

data/app/services/forest_liana/permissions_getter.rb

@@ -1,25 +1,60 @@
 module ForestLiana
   class PermissionsGetter
-    def initialize(rendering_id)
-      @route = "/liana/v2/permissions"
-      @rendering_id = rendering_id
-    end
+    class << PermissionsGetter
+      def get_permissions_api_route
+        '/liana/v3/permissions'
+      end
+
+      # Permission format example:
+      # collections => {
+      #   {model_name} => {
+      #     collection => {
+      #       browseEnabled => true,
+      #       readEnabled => true,
+      #       editEnabled => true,
+      #       addEnabled => true,
+      #       deleteEnabled => true,
+      #       exportEnabled => true,
+      #     },
+      #     actions => {
+      #       {action_name} => {
+      #         triggerEnabled => true,
+      #       },
+      #     },
+      #   },
+      # },
+      # rederings => {
+      #   {rendering_id} => {
+      #       {collection_id} => {
+      #         scope => {
+      #           dynamicScopesValues => {},
+      #           filter => {}
+      #         }
+      #       }
+      #     }
+      #   }
+      # }
+      # With `rendering_specific_only` this returns only the permissions related data specific to the provided rendering
+      # For now this only includes scopes
+      def get_permissions_for_rendering(rendering_id, rendering_specific_only: false)
+        begin
+          query_parameters = { 'renderingId' => rendering_id }
+          query_parameters['renderingSpecificOnly'] = rendering_specific_only if rendering_specific_only
 
-    def perform
-      begin
-        query_parameters = { 'renderingId' => @rendering_id }
-        response = ForestLiana::ForestApiRequester.get(@route, query: query_parameters)
+          api_route = get_permissions_api_route
+          response = ForestLiana::ForestApiRequester.get(api_route, query: query_parameters)
 
-        if response.is_a?(Net::HTTPOK)
-          JSON.parse(response.body)
-        else
-          raise "Forest API returned an #{ForestLiana::Errors::HTTPErrorHelper.format(response)}"
+          if response.is_a?(Net::HTTPOK)
+            JSON.parse(response.body)
+          else
+            raise "Forest API returned an #{ForestLiana::Errors::HTTPErrorHelper.format(response)}"
+          end
+        rescue => exception
+          FOREST_LOGGER.error 'Cannot retrieve the permissions from the Forest server.'
+          FOREST_LOGGER.error 'Which was caused by:'
+          ForestLiana::Errors::ExceptionHelper.recursively_print(exception, margin: ' ', is_error: true)
+          nil
         end
-      rescue => exception
-        FOREST_LOGGER.error 'Cannot retrieve the permissions from the Forest server.'
-        FOREST_LOGGER.error 'Which was caused by:'
-        ForestLiana::Errors::ExceptionHelper.recursively_print(exception, margin: ' ', is_error: true)
-        nil
       end
     end
   end

data/app/services/forest_liana/resource_creator.rb

@@ -53,7 +53,7 @@ module ForestLiana
     end
 
     def has_strong_parameter
-      Rails::VERSION::MAJOR > 5 || @resource.instance_method(:update_attributes!).arity == 1
+      Rails::VERSION::MAJOR > 5 || @resource.instance_method(:update!).arity == 1
     end
   end
 end